> Due to a recent security incident, all user tokens have been invalidated.
https://status.npmjs.org/incidents/dn7c1fgrr7ng

On Fri, Jul 13, 2018 at 1:13 AM, David Barratt <[email protected]> wrote:

> It's sad to see how the npm team could have taken steps to mitigate this
> situation beforehand:
> https://github.com/npm/npm/pull/4016
>
> Important lesson for everyone (including myself).
>
> On Thu, Jul 12, 2018 at 11:42 AM C. Scott Ananian <[email protected]>
> wrote:
>
>> Further eslint-related packages seem to be infected:
>> https://github.com/eslint/eslint/issues/10600
>>
>> All WM devs with publish access to npm should be using 2FA, which would
>> mitigate this issue.
>>
>> All WM node packages should also be using npm shrinkwrap files; we should
>> probably audit that.
>> --scott
>>
>> On Thu, Jul 12, 2018 at 11:30 AM, Kunal Mehta <[email protected]>
>> wrote:
>>
>> > Hi,
>> >
>> > If you ran eslint (JavaScript codestyle linter) recently (it was only
>> > compromised for an hour), your npm token might have been compromised
>> > (~/.npmrc).
>> >
>> > To identify if you were compromised, run:
>> > $ locate eslint-scope | grep -i "eslint-scope/package.json" | xargs jq .version
>> >
>> > And if any of those show "3.7.2" then you have the bad package version
>> > installed.
>> >
>> > Upstream recommends that you 1) reset your npm token and 2) enable 2fa
>> > for npm - both can be done from the npm website. You should probably
>> > also check to make sure none of your packages were compromised.
>> >
>> > There are some more details on the bug report[1].
>> >
>> > [1]
>> > https://github.com/eslint/eslint-scope/issues/39#issuecomment-404533026
>> >
>> > -- Legoktm
>> >
>> > _______________________________________________
>> > Wikitech-l mailing list
>> > [email protected]
>> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>>
>> --
>> (http://cscott.net)
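An added example, not part of the original thread or of any project's code: the two checks raised in the thread (installed copies of eslint-scope 3.7.2, and projects lacking a shrinkwrap file) done by walking a directory tree rather than querying the `locate` database, which may be stale. Treating `package-lock.json` as a lock file and every `package.json` outside `node_modules` as a project root are assumptions, and the sample tree in `demo()` is constructed.

```python
import json
import os
import sys
import tempfile

BAD = ("eslint-scope", "3.7.2")  # package and version named in the thread
# Assumption: package-lock.json counts as a lock file next to npm-shrinkwrap.json.
LOCKFILES = ("npm-shrinkwrap.json", "package-lock.json")

def audit(root):
    """Return (bad_installs, unlocked_projects), paths relative to root."""
    bad, unlocked = [], []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        if not isinstance(meta, dict):
            continue
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if "node_modules" in rel.split("/"):
            # Installed dependency: match the manifest's own name and version.
            if (meta.get("name"), meta.get("version")) == BAD:
                bad.append(rel)
        elif not any(name in files for name in LOCKFILES):
            # Assumption: a package.json outside node_modules is a project root.
            unlocked.append(rel)
    return sorted(bad), sorted(unlocked)

def demo():
    """Constructed tree: 'a' is locked but has the bad install, 'b' is neither."""
    layout = {
        "a/package.json": {"name": "a"},
        "a/npm-shrinkwrap.json": {},
        "a/node_modules/eslint-scope/package.json": {"name": BAD[0], "version": BAD[1]},
        "b/package.json": {"name": "b"},
        "b/node_modules/eslint-scope/package.json": {"name": BAD[0], "version": "3.7.1"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in layout.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                json.dump(content, fh)
        return audit(tmp)

if __name__ == "__main__":
    print(audit(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it with a directory argument to scan a real checkout; with no argument it scans the constructed tree.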
